We’ve gone round and round on the challenges of doing security. As Shack says, your users just don’t give a f***. Actually you need to read Dave’s post. It lays out a lot of the issues we face every day. I’ll rephrase Dave’s point a little differently: apathy rules, and always will. Your employees are not paid to worry about security. They are paid to do their jobs, and more often than not security gets in the way of their actual responsibilities. Remember – the cold, hard truth is that security necessarily restricts access to some degree because there is no other way to protect information.
As with most things Dave does, there is some collateral damage. Namely security awareness training, but I don’t entirely buy his recommendation to just stop trying and discard it. First of all, how can we expect users to understand what the hell they are supposed to do and not do, if we do not tell them? For a portion (dare I say majority), it’s not useful. But the training will resonate with some. Every organization has to evaluate whether the investment pays off. Yet, clearly a big issue is the crappy training we subject employees to. Forcing employees to sit through an hour of water torture awareness training via slides and policies wastes everyone’s time. I also believe training users to survive on the Internet is as much a life skill as a work skill, and diligent organizations should be teaching their employees these skills because it’s the right thing to do. But that’s a different story for a different day.
What I really liked about Dave’s post is his focus on taking many of the decisions out of the user’s hands, stopping them from doing stupid things. Basically protecting them from themselves. As we’ve been saying for years, this involves locking down devices and adopting a default deny stance wherever you can. Tactics like whitelisting and NAC can help make sure folks don’t install bad things and get to the wrong areas of the network. That’s all good. And it’s similar to my Positivity concepts.
But it’s a bumpy road. Mostly because users don’t want to be saved. They want to do what they want to do, when they want to do it. Don’t tell them they can’t use Skype. It saves the company money, right? Don’t tell them they can’t share credentials. They are saving time, because IT is so responsive to those provisioning requests. And don’t tell them they can’t roll out that new application to a few million users. That new app will change everything and drive all sorts of new revenue streams. Along with apathy about your charter to protect information, expect tremendous resistance to changing user experiences or adding hoops to any process. Regardless of the security/information protection benefits. Remember, users don’t give a f***.
But let’s get back to the idea of Building Security In, which is another of Dave’s tactics, to address the fact that users couldn’t give less of a crap about anything security-related. The challenge is to get developers to change their behavior. You know, to do the pretty straightforward stuff that eliminates the easy application attacks. I know we have to continue fighting the good fight about application security because crappy, insecure code is a huge part of the macro problem we face in protecting information.
I’ve looked at this issue up, down, left, right, and sideways. I don’t see another option, besides increasing the corporate loss provision and devoting most of our resources to cleaning up the messes. Things are going to get worse before they get better. I should say: if they get better.
We can also address the issues at the application layer. Building Security In continues to be a goal of many organizations. There are plenty of issues with making this happen, but none more acute than the skills gap. Even if organizations want to do the right thing, they probably don’t have the expertise and resources to do anything. Details, details. Adrian is on a panel at Black Hat next week with some really smart folks including Jeremiah Grossman, Alex Hutton, and Brad Arkin talking about doing application security at scale. Maybe they’ll have some answers.
Given this backdrop, it’s easy to be despondent about doing security. With good reason. Which is why acceptance needs to become your favorite word. Your sanity literally depends on it. There is only so much you can do. Really. Sometimes it’s a technology issue. Sometimes it’s a political obstacle. Often it’s a business decision to accept a certain amount of risk. All these things can make you crazy. But only if you let them. That’s a key aspect of my Happyness presentation. You can’t own the responsibility to make your organization secure. You can only do what you can do.
I know, easier said than done. It’s hard to come into work every day and feel like your contributions don’t matter. I assure you they do. Imagine the anarchy that would prevail if you didn’t keep fighting. So do what you can, and then go home. Seriously. Go home and accept that your users don’t give a f***. When you aren’t able to do that, you know it’s time to find something else to do.